Linux Security Notes - AIDE File Integrity

AIDE (Advanced Intrusion Detection Environment) is a tool for checking
file integrity; it is an open-source substitute for Tripwire. It takes
a snapshot of the attributes (stat data and checksums) of all the major
configuration files, binaries and libraries, so that after a compromise
of the system you can find out which binaries have been changed. It can
be downloaded from http://sourceforge.net.

Download both the binaries and the signature file, then import the GPG keys and verify the signature.

Compiling and installing AIDE

Read the INSTALL doc in the AIDE source code for the list of required
packages. The mhash library must be installed before AIDE can be built
and run; it is also available from sourceforge.net.

# Monitor every directory under "/" with the R rule group, but exclude /var
/ R
!/var

# aide -c aide.conf --init

This generates a new database covering every directory defined in aide.conf.

Note: the database lets us trace which files have been affected after a
compromise, by comparing the current state of the system with the database
taken beforehand. Once the AIDE database has been created, it is better to
burn the aide binary, its config file and the database to a read-only
medium, so that the database itself cannot be altered; this protects the
integrity of the AIDE DB.
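To make the init/check cycle concrete, here is an added illustration (not AIDE's own code) of what the database and the comparison consist of: a miniature snapshot tool that records, for every regular file under a root, the same kind of attributes the R rule group covers (permissions, inode, link count, uid, gid, size, mtime, ctime and a content hash), honours "!prefix" exclusions like the "!/var" line above, and reports added, removed and changed files against a saved database. The rule parser, the JSON database layout and the demo tree are all constructed for this example.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Attributes mirror the kind of stats AIDE's "R" group covers; the layout is ours.
TRACKED = ("perm", "inode", "nlink", "uid", "gid", "size", "mtime", "ctime", "sha256")

# Constructed rules for the demo tree (same shape as the page's two config lines).
DEMO_CONF = """# monitor everything under the root, but leave /var alone
/ R
!/var
"""

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def _record(path):
    st = os.lstat(path)
    return {"perm": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "nlink": st.st_nlink,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime), "sha256": _sha256(path)}

def _rel(root, full):
    r = os.path.relpath(full, root)
    return "/" if r == "." else "/" + r.replace(os.sep, "/")

def _excluded(rel, excludes):
    return any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in excludes)

def parse_rules(text):
    """Tiny subset of aide.conf: '<path> R' includes, '!<path>' excludes, '#' comments."""
    includes, excludes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        (excludes if line.startswith("!") else includes).append(line.lstrip("!").split()[0])
    return includes, excludes

def snapshot(root, includes, excludes):
    """Return {path-relative-to-root: attrs} for regular files, pruning excluded subtrees."""
    db = {}
    for inc in includes:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, inc.lstrip("/"))):
            dirnames[:] = [d for d in dirnames
                           if not _excluded(_rel(root, os.path.join(dirpath, d)), excludes)]
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = _rel(root, full)
                if os.path.isfile(full) and not os.path.islink(full) and not _excluded(rel, excludes):
                    db[rel] = _record(full)
    return db

def save_db(path, db):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)

def load_db(path):
    with open(path) as f:
        return json.load(f)

def compare(old, new):
    """What a check reports: added, removed, and changed files with the attributes that differ."""
    changed = {}
    for p in sorted(set(old) & set(new)):
        diff = [k for k in TRACKED if old[p][k] != new[p][k]]
        if diff:
            changed[p] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}

def demo():
    """Constructed end-to-end run: build a tiny tree, init the DB, tamper with the tree, check."""
    work = tempfile.mkdtemp(prefix="mini-aide-")
    root = os.path.join(work, "tree")
    dbfile = os.path.join(work, "aide.db")  # kept outside the tree, as a read-only medium would be
    try:
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n", "etc/hosts": b"127.0.0.1 localhost\n",
                 "bin/ls": b"ELF stand-in\n", "var/log/messages": b"boot ok\n"}
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        includes, excludes = parse_rules(DEMO_CONF)
        save_db(dbfile, snapshot(root, includes, excludes))            # the --init step
        with open(os.path.join(root, "bin/ls"), "ab") as f:             # binary modified
            f.write(b"extra bytes\n")
        with open(os.path.join(root, "etc/new.conf"), "wb") as f:       # file added
            f.write(b"x\n")
        os.remove(os.path.join(root, "etc/hosts"))                      # file removed
        with open(os.path.join(root, "var/log/messages"), "ab") as f:   # excluded: not reported
            f.write(b"more\n")
        return compare(load_db(dbfile), snapshot(root, includes, excludes))  # the check step
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints one added file, one removed file and a change on /bin/ls naming the size and sha256 attributes, while the edit under /var stays invisible because the subtree was pruned. The same logic is why the real database must live somewhere the system cannot rewrite it: the report is only as trustworthy as the "old" side of the comparison.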

Comments

aide --init will create the new database as /var/lib/aide/aide.db.new.
You need to copy/move /var/lib/aide/aide.db.new to /var/lib/aide/aide.db
when you do --init to initialize the db and after each subsequent
--update. You can change these locations/files in the config file.